Bug 858228 - Validate empty host subject from qemu exactly like when no explicit host subject is specified
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: spice-gtk
Severity: low
Assigned To: Marc-Andre Lureau
Desktop QE
Reported: 2012-09-18 07:19 EDT by David Jaša
Modified: 2013-02-21 03:49 EST
Fixed In Version: spice-gtk-0.14-5.el6
Doc Type: Bug Fix
Last Closed: 2013-02-21 03:49:06 EST
Type: Bug

Description David Jaša 2012-09-18 07:19:40 EDT
Description of problem:
Validate empty host subject from qemu exactly like when no explicit host subject is specified

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
0. common to both: generate CA and server certs so that the CN= field in the server cert subject matches your machine hostname (e.g. Subject: O=rh,CN=my-laptop.example.com)

A: plain connection:
1. run qemu:
qemu-kvm -spice tls-port=SPORT,x509_dir=DIR,disable-ticketing
2. connect to the qemu:
remote-viewer --spice-ca-file DIR/ca-cert.pem spice://my-laptop.example.com/?tls-port=SPORT

B: migration
1. run source qemu:
qemu-kvm -monitor stdio -spice tls-port=SPORT1,x509_dir=DIR,disable-ticketing
2. run destination qemu:
qemu-kvm -monitor stdio -spice tls-port=SPORT2,x509_dir=DIR,disable-ticketing
3. connect to the source qemu:
remote-viewer --spice-ca-file DIR/ca-cert.pem spice://my-laptop.example.com/?tls-port=SPORT1
4. instruct source qemu to migrate the client without specifying host subject:
__com.redhat_spice_migrate_info my-laptop.example.com 0 SPORT2
Actual results:
A: r-v connects successfully because my-laptop.example.com FQDN matches CN in the certificate

B: r-v won't connect to the destination qemu with error:
(/usr/bin/remote-viewer:21596): Spice-Warning **: ssl_verify.c:484:openssl_verify: ssl: subject '' verification failed

Expected results:
A: the same
B: r-v should treat empty host subject as no host subject and verify CN= from Subject field with hostname

Additional info:
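
The expected behaviour in case B, as an added example that is not part of the original report and is not spice-gtk's code: a simplified C model in which an empty host subject selects hostname verification exactly as a missing one does. The function names, the comma-separated subject format and the exact-match subject comparison are assumptions made for illustration.

```c
#include <stddef.h>
#include <string.h>
#include <strings.h>

/* Hypothetical names; a simplified model, not spice-gtk's ssl_verify.c. */
enum verify_mode { VERIFY_HOSTNAME, VERIFY_SUBJECT };

/* An empty host subject carries no constraint, so it selects the same
 * mode as an absent (NULL) one: hostname verification. */
enum verify_mode pick_verify_mode(const char *host_subject)
{
    return (host_subject == NULL || host_subject[0] == '\0')
        ? VERIFY_HOSTNAME : VERIFY_SUBJECT;
}

/* Copy the CN= value out of a comma-separated subject such as
 * "O=rh,CN=my-laptop.example.com" (escaped commas are not handled).
 * Returns 1 on success, 0 if there is no usable CN. */
static int subject_cn(const char *subject, char *out, size_t outlen)
{
    const char *p = subject;
    while (p && *p) {
        while (*p == ' ') p++;
        if (strncmp(p, "CN=", 3) == 0) {
            size_t n = strcspn(p + 3, ",");
            if (n == 0 || n >= outlen) return 0;
            memcpy(out, p + 3, n);
            out[n] = '\0';
            return 1;
        }
        p = strchr(p, ',');
        if (p) p++;
    }
    return 0;
}

/* Returns 1 if the peer certificate subject is acceptable, else 0. */
int verify_peer(const char *cert_subject, const char *host_subject,
                const char *hostname)
{
    char cn[256];
    if (cert_subject == NULL) return 0;
    if (pick_verify_mode(host_subject) == VERIFY_SUBJECT)
        return strcmp(cert_subject, host_subject) == 0;
    /* Hostname mode: fail closed when there is nothing to compare. */
    if (hostname == NULL || !subject_cn(cert_subject, cn, sizeof cn))
        return 0;
    return strcasecmp(cn, hostname) == 0;
}
```

With the constructed subject from step 0, `verify_peer()` gives the same result for a NULL and an empty host subject, and still rejects a certificate whose CN does not match the hostname.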
Comment 2 Marc-Andre Lureau 2012-10-18 13:42:45 EDT
patch sent to ML
Comment 3 Marc-Andre Lureau 2012-12-10 08:00:50 EST
in spice-gtk-0.14-5.el6
Comment 7 errata-xmlrpc 2013-02-21 03:49:06 EST
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

